Hierarchical Deterministic Wallets · 2019. 9. 10. · Wallets & gap limits Gap limit – number of addresses in bip32 tree to check when scanning the blockchain When to stop scanning?

Hierarchical Deterministic Wallets

Tel Aviv, IsraelSeptember 2019

Bryan Bishop

0E4C A12B E16B E691 56F5 40C9 984F 10CC 7716 9FD2

whoami

● Bryan Bishop● Software development background● Previously @ LedgerX (4 years!)● Bitcoin Core contributor● Biotech projects● Transcripts - https://diyhpl.us/wiki/transcripts● Follow me @ https://twitter.com/kanzure

https://ledgerx.com/blog/2018/7/25/reflecting-on-time-well-spent-at-ledgerx

Conflict of interest slide (Just kidding)

Academic support

Other supporting orgs

What is an HD wallet, briefly?

● Indeterministic wallet: random keys every time– Lots of horror stories of lost keys– Remember to backup your wallet!– Sweep to new change address -> ded.

https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki

Deterministic wallet: random key, but only once

– Backup the random master seed– Armory originally implemented deterministic

wallets, but it was a giant pool of addresses

Hierarchical deterministic (HD) wallets

– Backup the master private key (master seed)– Many deterministic subwallets– Address reuse bad

Previously on Bitcoin Edge Dev++ (2018)

● James Chiang gave an excellent presentation on bip32:– video: https://www.youtube.com/watch?

v=OVvue2dXkJo– transcript:

https://diyhpl.us/wiki/transcripts/scalingbitcoin/tokyo-2018/edgedevplusplus/hierarchical-deterministic-wallets/

● Most of the diagrams in this presentation are from his slides.

bip32 overview

bip32 Child Key Derivation Paths (bip32 paths)

More bip32 paths

● m/0● m/1/2/3/1, m/1/2/3/2, m/1/2/3/3, m/1/2/3/4, etc.● m/1/2'● m/1/2'/3'● m/1/2'/3/4'● m/1'/2/3'/4/5'● etc...

Master key pair derivation

Child key pair derivation, part 1

Child key pair derivation, part 2

Hardened HD children

Hardened HD children

Vulnerability: Private key exposure

● This is where hardened keys are useful.● Note that exposing any child private key and the

chaincode results in leaking the private key for the higher levels.

● Hardened keys mitigate this. Hardened keys protect their parent nodes from "downstream" leaks.

Wallets & gap limits

● Gap limit – number of addresses in bip32 tree to check when scanning the blockchain

● When to stop scanning?● What if a user hands out a receiving address for

a specific purpose, and then, since the user is a good user and doesn't reuse addresses, never uses it again? There can be large "gaps".

● Gap limit is usually set to 20 but it's arbitrary.

Quaint "use cases" specified in bip32 spec

● Some of these seem almost historical, has anyone read these in a while? Take a look....

● "Full wallet sharing" between nodes that both need to spend coins (what?)

● Audits: share extended public keys and the auditor can derive child addresses.

● Recurrent business-to-business transactions: Use an incrementing bip32 path off of some bip32 key.

● Receive-only wallet, like for a merchant's online webserver selling some items.

Software libraries

● bx tool (libbitcoin)● pycoin (python)● bcwallet (python)● hdkey (javascript)

● I usually go with "pycoin". Buyer beware for the others; I don't have specific experience with those.

bip44

● "Multi-account hierarchy for deterministic wallets"● Basically, a standard that recommends a specific

hierarchy and labeled purposes for each level in the hierarchy.

● It's basically this:– m / purpose' / coin_type' / account' / change /

address_index● https://github.com/bitcoin/bips/blob/master/bip-

0044.mediawiki

Hierarchical Deterministic Wallets

Tel Aviv, IsraelSeptember 2019

Bryan Bishop

0E4C A12B E16B E691 56F5 40C9 984F 10CC 7716 9FD2

https://twitter.com/kanzurehttps://twitter.com/thebitcoinedge

Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Slide 15Slide 16Slide 17Slide 18Slide 19Slide 20Slide 21